Wednesday, May 11, 2005

I have been having a discussion with one of our developers about SSL.  He is updating some code and wanted to make sure that anyone who used the application would be doing so via SSL.  I believe the discussion will be valuable to many so I wanted to share some tips.

There are a couple of simple ways to guarantee that users are using SSL.

#1 In IIS you can set the application to require SSL, so anyone trying to access it over HTTP will get an error.  I do not like this option for two reasons: it requires extra IIS configuration to implement, and I like to avoid throwing errors if possible.

#2 Applications can check for the use of SSL and force a redirect if it is not being used.  This is my preferred and recommended approach for all applications that involve sensitive data.

Here is some simple VB.NET ASP.NET code that does the trick for option #2.

' Force users of this application to come in using SSL
If Not Request.IsSecureConnection Then Response.Redirect(Request.Url.ToString().Replace("http:", "https:"))
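A fuller version of option #2, added here as an example and not code from the original post: it rebuilds the URL with UriBuilder instead of a string Replace, so an "http:" that happens to appear inside a query-string value is left alone and the port is set to 443 rather than carried over from the HTTP listener, and it runs from Global.asax so every page in the application is covered.  The class name and the hard-coded HTTPS port are assumptions.

```vbnet
' Added example (not from the original post): force SSL for every request
' from Global.asax.vb. Assumes the ASP.NET HttpApplication model; the class
' name and the fixed HTTPS port are assumptions for this example.
Imports System
Imports System.Web

Public Class SslApplication
    Inherits HttpApplication

    Private Const HttpsPort As Integer = 443

    ' Build the HTTPS equivalent of a request URL. UriBuilder changes only the
    ' scheme and port, so path and query string are preserved byte for byte.
    Public Shared Function ToHttpsUrl(ByVal original As Uri) As String
        Dim builder As New UriBuilder(original)
        builder.Scheme = Uri.UriSchemeHttps
        builder.Port = HttpsPort
        Return builder.Uri.AbsoluteUri
    End Function

    Protected Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Not Request.IsSecureConnection Then
            ' Response.Redirect sends a 302; passing True ends the response so
            ' no page code runs (and no sensitive content is written) over plain HTTP.
            Response.Redirect(ToHttpsUrl(Request.Url), True)
        End If
    End Sub
End Class
```

Keep in mind that the redirect only takes effect after the browser has already sent its first request in the clear, so links and bookmarks you publish should point at the https:// address directly.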

The biggest question this creates is how to handle the development and testing environments where SSL certificates may not be installed.  I have good news for you there.  Microsoft has a couple of tools for creating self-signed certificates that are perfect for development environments.  You can easily install a test certificate on your own development machines.

The IIS 6.0 Resource Kit includes a tool called SelfSSL that you can use to make certificates.  I prefer to use MakeCert.  I use it enough that I put together a simple Create_Cert.BAT file to make it even easier to use.  The file takes in the machine name as a parameter (%1).  You can find documentation on the various options in MSDN.

REM Create_Cert.BAT: self-signed server certificate for the machine name passed as %1
REM -r self-signed, -pe exportable private key, -eku 1.3.6.1.5.5.7.3.1 server authentication,
REM -ss my -sr localMachine puts it in the Local Machine Personal store for IIS to pick up
makecert -r -pe -n "CN=%1" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -nscp

  • Copy the MakeCert.exe tool and create the Create_Cert.bat file on your machine.
  • Open a Command Prompt window and change to the directory where you put the makecert.exe and the create_cert.bat files.
  • Execute the create_cert.bat using the machine name of your PC as a parameter.  Typically we use LOCALHOST on our local machines. (ex. C:\tools\create_cert.bat localhost)
  • In IIS you can now set the Default Web Site to use your test SSL certificate.
    My Computer -> (right-click) Manage -> Services and Applications -> Internet Information Server -> (right-click) Default Web Site -> Properties -> Directory Security -> Server Certificate -> Assign Existing.

I hope you agree with me that it is easy to develop with SSL and to interact securely with customers over it.  If you are looking for affordable SSL certificates for production servers, you can now get them for as little as $29.95 at www.GoDaddy.com.